The funniest part about these discussions is that we're discussing an optimizati... | Hacker News

Hacker Timesnew | past | comments | ask | show | jobs | submit

		tptacek on July 16, 2010 \| parent \| context \| favorite \| on: Password crack [affecting OAuth and OpenID] could ... The funniest part about these discussions is that we're discussing an optimization that exclusively helps attackers. Virtually all HMAC candidate hashes are correct all the way through the final byte, meaning that even in a classic short-circuited compare, you still have to read everything. In virtually all traffic, you never get to take that short circuit. The only time short-circuited comparisons ever make things faster is when an attacker is waiting for a rejection.

gmonroe on July 16, 2010 [–]

However, in many high-level languages == is written in C, and reimplementing it in the high-level language can be quite slow in comparison.

caf on July 17, 2010 | [–]

You know, it'd be handy if such high-level languages implemented a separate =$= operator that worked just like ==, but was timing-independent.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact